Re: Public Discussion re: Inclusion of the ANF Secure Server Root CA

2021-04-01 Thread Ben Wilson via dev-security-policy
On March 10, 2021, we began the public discussion period [Step 4 of the Mozilla Root Store CA Application Process] for ANF’s inclusion request. One commenter recounted some of ANF's certificate misissuance events and expressed concern that CAs

Mozilla Root Store Policy MRSP 2.7.1 Update

2021-03-30 Thread Ben Wilson via dev-security-policy
All, Version 2.7.1 of the Mozilla Root Store Policy (MRSP) is now saved in Mozilla's GitHub repository with an effective date of May 1, 2021. See https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md Here is the redline: https://github.com/mozilla/pkipolicy/pull/223/files Soon we

Providing Auditor Qualifications (was Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications)

2021-03-30 Thread Ben Wilson via dev-security-policy
#Providing_Auditor_Qualifications Please also let me know if you have any questions. Thanks, Ben On Fri, Mar 26, 2021 at 3:20 PM Ben Wilson wrote: > All, > As discussed previously, here is a draft amendment to the Audit Statements > wiki page for your review and comment: > > https://wiki.mozilla.org/CA/A

Re: Prioritization of Root CA Inclusion Requests

2021-03-30 Thread Ben Wilson via dev-security-policy
For future reference, this is now posted here: https://wiki.mozilla.org/CA/Prioritization. On Wed, Mar 24, 2021 at 4:49 PM Ben Wilson wrote: > All, > > I'd like to have you review the prioritization proposal below, which will > help us as we process CA inclusion request

Re: Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-03-26 Thread Ben Wilson via dev-security-policy
All, As discussed previously, here is a draft amendment to the Audit Statements wiki page for your review and comment: https://wiki.mozilla.org/CA/Audit_Statements#Providing_Auditor_Qualifications Sincerely yours, Ben ___ dev-security-policy mailing list

Prioritization of Root CA Inclusion Requests

2021-03-24 Thread Ben Wilson via dev-security-policy
All, I'd like to have you review the prioritization proposal below, which will help us as we process CA inclusion requests. ( https://wiki.mozilla.org/CA/Application_Process) Thanks, Ben --- Prioritization of CA Root Inclusion Requests will be based on the factors described

Public Discussion of Asseco's Root Inclusion Request

2021-03-22 Thread Ben Wilson via dev-security-policy
, misissuances, and EV compatibility, and they passed those tests. Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about Wednesday, 14-April-2021. A representative of Asseco must promptly respond directly

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

2021-03-19 Thread Ben Wilson via dev-security-policy
>> >> >> The BRs limit data reuse to 825 days since March 2018 so I don’t think >> this adds anything. If it does mean something more than that, can you >> update to make it more clear? >> >> >> >> >> >> From: Ben Wilson >> Sent: T

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

2021-03-18 Thread Ben Wilson via dev-security-policy
I've edited the proposed subsection 5.1 and have left section 5 in for now. See https://github.com/BenWilson-Mozilla/pkipolicy/commit/d37d7a3865035c958c1cb139b949107665fee232 On Tue, Mar 16, 2021 at 9:10 AM Ben Wilson wrote: > That works, too. Thoughts? > > On Tue, Mar 16, 2021 a

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

2021-03-16 Thread Ben Wilson via dev-security-policy
erver certificates issued on or after October 1, 2021, each > dNSName or IPAddress in a SAN or commonName MUST have been validated in accordance with the CABF Baseline Requirements?> within the prior 398 days. > > > > -Original Message- > From: dev-security-policy > On Beh

Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

2021-03-11 Thread Ben Wilson via dev-security-policy
Bruce, The answer would be yes because we check the validity of the root CA certificate and other CA certificates. Ben On Thu, Mar 11, 2021 at 10:33 AM Ben Wilson wrote: > Hi Bruce, > I think the answer is yes. A CA certificate is no longer trusted once it > has expired or bee

Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

2021-03-11 Thread Ben Wilson via dev-security-policy
Hi Bruce, I think the answer is yes. A CA certificate is no longer trusted once it has expired or been revoked (or added to OneCRL for subCAs) or removed (roots). But I'm double-checking on the case of certificates with validity periods that extend past the expiration of the root. Ben On Thu, Mar

Re: Public Discussion re: Inclusion of the ANF Secure Server Root CA

2021-03-11 Thread Ben Wilson via dev-security-policy
Here you go: https://testvalidsslev.anf.es https://testrevokedsslev.anf.es https://testexpiredsslev.anf.es On Thu, Mar 11, 2021 at 6:38 AM Andrey West Siberia via dev-security-policy wrote: > Hello, > I can't find the test URIs for this root certificate... >

Re: Synopsis of Proposed Changes to MRSP v. 2.7.1

2021-03-10 Thread Ben Wilson via dev-security-policy
Thanks, Ryan I'll work on incorporating your suggestions into the draft we're working on. Ben On Wed, Mar 10, 2021 at 9:10 AM Ryan Sleevi wrote: > > > On Mon, Mar 8, 2021 at 7:08 PM Ben Wilson via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >

Public Discussion re: Inclusion of the ANF Secure Server Root CA

2021-03-10 Thread Ben Wilson via dev-security-policy
-March-2021. We encourage you to participate in the review and discussion. A representative of ANF must promptly respond directly in the discussion thread to all questions that are posted. Sincerely yours, Ben Wilson Mozilla Root Store Program

Synopsis of Proposed Changes to MRSP v. 2.7.1

2021-03-08 Thread Ben Wilson via dev-security-policy
All, Below are the summaries of the proposed resolutions of the issues slated to be addressed by version 2.7.1 of the Mozilla Root Store Policy. A full redline of the proposed changes can be seen here by clicking on the "Files changed" tab:

Re: Policy 2.7.1: MRSP Issue #218: Clarify CRL requirements for End Entity Certificates

2021-03-08 Thread Ben Wilson via dev-security-policy
All, We are going to postpone the resolution of this Issue #218 and the addition of language to address the "Full CRL" until MRSP version 2.8. Thanks for your input thus far. Ben On Thu, Feb 25, 2021 at 10:59 AM Ben Wilson wrote: > As placeholder in the Mozilla Root Store Policy,

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

2021-03-08 Thread Ben Wilson via dev-security-policy
All, Here is the currently proposed wording for subsection 5.1 of MRSP section 2.1: " 5.1. for server certificates issued on or after October 1, 2021, verify each dNSName or IPAddress in a SAN or commonName at an interval of 398 days or less;" Ben On Fri, Feb 26, 2021 at 9:48 AM Ryan Sleevi

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-03-08 Thread Ben Wilson via dev-security-policy
vided to Mozilla of the audit team qualifications sufficient for Mozilla to determine the competence, experience, and independence of the auditor." Ben On Thu, Feb 18, 2021 at 11:27 AM Ben Wilson wrote: > All, > > I have edited the proposed resolution of Issue #192 > <htt

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-03-08 Thread Ben Wilson via dev-security-policy
, February 12, 2021 at 10:27:11 AM UTC-6, Ben Wilson wrote: > > I'm fine with that suggestion. > > On Fri, Feb 12, 2021 at 5:06 AM malcol...--- via dev-security-policy < > > dev-secur...@lists.mozilla.org> wrote: > > > > > On Thursday, 11 February 2021 at 21:14

Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

2021-03-08 Thread Ben Wilson via dev-security-policy
lieve I received any comments on that language. See https://groups.google.com/g/mozilla.dev.security.policy/c/DChXLJrMwag/m/uGpEqiEcBgAJ On Sat, Mar 6, 2021 at 9:17 PM Ben Wilson wrote: > Thanks, Bruce, for raising the issue of pre-generated, yet unassigned > keys. The intent was to cover th

Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

2021-03-06 Thread Ben Wilson via dev-security-policy
Thanks, Bruce, for raising the issue of pre-generated, yet unassigned keys. The intent was to cover this scenario. We are aware that CAs might generate 1000s of keys in a partition and then years later assign a few of them as CA keys, others as OCSP responder keys, etc., and some might never be

Re: Public Discussion for Inclusion of e-commerce monitoring's GLOBALTRUST 2020 Root

2021-02-27 Thread Ben Wilson via dev-security-policy
final objections. Thanks, Ben On Mon, Feb 22, 2021 at 1:51 PM Ben Wilson wrote: > Just a reminder that discussion is ongoing and scheduled to close this > Friday, 26-Feb-2021. > > On Thu, Feb 4, 2021 at 4:39 PM Ben Wilson wrote: > >> This is to announce the beginning of

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

2021-02-25 Thread Ben Wilson via dev-security-policy
for server certificates issued on or after Feb 1, 2022, each dNSName > or IPAddress in a SAN must have been validated within the prior 398 days > > Is that a compromise you could consider? > > Doug > > > -Original Message- > From: dev-security-policy > On Behalf Of B

Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

2021-02-25 Thread Ben Wilson via dev-security-policy
ddress the scenarios that were raised. So I am going to assume that this issue is resolved and that we can move this proposed change forward. See https://github.com/BenWilson-Mozilla/pkipolicy/commit/c8bdb949020634b1f8fa31bc060229c600fe6f9d On Fri, Feb 12, 2021 at 11:16 AM Ben Wilson wrote: >

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

2021-02-25 Thread Ben Wilson via dev-security-policy
en On Wed, Dec 2, 2020 at 3:00 PM Ben Wilson wrote: > All, > > I have started a similar, simultaneous discussion with the CA/Browser > Forum, in order to gain traction. > > https://lists.cabforum.org/pipermail/servercert-wg/2020-December/002

Re: Policy 2.7.1: MRSP Issue #218: Clarify CRL requirements for End Entity Certificates

2021-02-25 Thread Ben Wilson via dev-security-policy
vocation > status update for any certificate in their scope. > > Aaron > > On Sun, Jan 24, 2021 at 10:22 AM Ben Wilson via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> All, >> >> Another suggestion came in for clarification that h

Re: Public Discussion for Inclusion of e-commerce monitoring's GLOBALTRUST 2020 Root

2021-02-22 Thread Ben Wilson via dev-security-policy
Just a reminder that discussion is ongoing and scheduled to close this Friday, 26-Feb-2021. On Thu, Feb 4, 2021 at 4:39 PM Ben Wilson wrote: > This is to announce the beginning of the public discussion phase ( > https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Ste

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-18 Thread Ben Wilson via dev-security-policy
All, I have edited the proposed resolution of Issue #192 as follows: Subsection 3 of MRSP Section 3.1.4. would read: "The publicly-available documentation relating to each audit MUST contain at

Re: Policy 2.7.1: MRSP Issue #207: Require audit statements to provide information about which CA Locations were audited

2021-02-15 Thread Ben Wilson via dev-security-policy
k to https://wiki.mozilla.org/CA/Audit_Statements#Audited_Locations, and then elaborating there as needed. On Wed, Jan 13, 2021 at 10:25 AM Ben Wilson wrote: > Thanks, Jeff. These are useful comments, and I will take them into > consideration in revising our proposal. > > On Tue, Jan 12, 202

Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

2021-02-12 Thread Ben Wilson via dev-security-policy
still the issue here? Or has it already been resolved with the language further above? Thanks, Ben On Sun, Jan 24, 2021 at 12:55 PM Ben Wilson wrote: > I agree that we should add language that makes it more clear that the key > destruction exception for audit only applies to the CA ce

Re: Public Discussion of GlobalSign's CA Inclusion Request for R46, E46, R45 and E45 Roots

2021-02-12 Thread Ben Wilson via dev-security-policy
y-policy > > On > > Behalf Of Nick Lamb via dev-security-policy > > Sent: donderdag 11 februari 2021 19:12 > > To: dev-security-policy@lists.mozilla.org > > Cc: Ben Wilson > > Subject: Re: Public Discussion of GlobalSign's CA Inclusion Request for > R46, >

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-02-12 Thread Ben Wilson via dev-security-policy
I'm fine with that suggestion. On Fri, Feb 12, 2021 at 5:06 AM malcol...--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, 11 February 2021 at 21:14:13 UTC, Ben Wilson wrote: > > 11. all incidents (as defined in section 2.4), including

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-02-11 Thread Ben Wilson via dev-security-policy
" - which would include those that occurred or were open - at any time during the audit period. Additional guidance and interpretation of the above would be available on the wiki. On Thu, Jan 28, 2021 at 2:05 PM Ryan Sleevi wrote: > > > On Sun, Jan 24, 2021 at 11:33 PM Ben Wilson vi

Policy 2.7.1: MRSP Issue #221: Wrong hyperlink for "Material Change" in MRSP Section 8

2021-02-11 Thread Ben Wilson via dev-security-policy
All, I am proposing for v. 2.7.1 a minor change that corrects a hyperlink issue in MRSP section 8. The link to "material change" here redirects to "alteration of instruments" - https://legal-dictionary.thefreedictionary.com/Material+Changes, which is altogether wrong since we're talking about a

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-11 Thread Ben Wilson via dev-security-policy
ade available here on the wiki - https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications. <https://github.com/BenWilson-Mozilla/pkipolicy/commit/57063dc07f5b753184c94dbf5d0d30d0b9b90789> Ben On Thu, Jan 28, 2021 at 2:10 PM Ryan Sleevi wrote: > > On Thu, Jan 28, 2021 at 3

Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

2021-02-10 Thread Ben Wilson via dev-security-policy
github.com/BenWilson-Mozilla/pkipolicy/commit/5a3dd2e9d92ec689e08bf1cfa279121e2bb0478b . On Sun, Jan 24, 2021 at 3:12 PM Ben Wilson wrote: > As an alternative for this addition to MRSP section 5.3, please consider > and comment on: > > Thus, the operator of a CA certificate trusted in Mo

Re: Public Discussion of GlobalSign's CA Inclusion Request for R46, E46, R45 and E45 Roots

2021-02-09 Thread Ben Wilson via dev-security-policy
and see if people are satisfied and whether we can proceed with the root inclusion request. Sincerely, Ben On Fri, Feb 5, 2021 at 2:36 PM Ben Wilson wrote: > All, > Under Step 10 of the https://wiki.mozilla.org/CA/Application_Process, > this is notice of a "further question or con

Re: Public Discussion of GlobalSign's CA Inclusion Request for R46, E46, R45 and E45 Roots

2021-02-05 Thread Ben Wilson via dev-security-policy
indicated that it will provide an incident report by next Tuesday, 9-Feb-2021. Thanks, Ben On Tue, Feb 2, 2021 at 5:48 PM Ben Wilson wrote: > On January 11, 2021, we began the public discussion period [Step 4 of the > Mozilla Root Store CA Application Process > <https://wiki.mozilla.org/

Public Discussion for Inclusion of e-commerce monitoring's GLOBALTRUST 2020 Root

2021-02-04 Thread Ben Wilson via dev-security-policy
ary-2021. Sincerely yours, Ben Wilson Mozilla Root Program

Action on Camerfirma Root CAs

2021-02-04 Thread Ben Wilson via dev-security-policy
All, Thank you for your continued participation in this discussion, and for those of you who have provided very thoughtful comments. As many of you have pointed out, there do not appear to be remediation actions that Camerfirma can take at this time to sufficiently reduce the risk of

Re: Public Discussion of GlobalSign's CA Inclusion Request for R46, E46, R45 and E45 Roots

2021-02-02 Thread Ben Wilson via dev-security-policy
begins a 7-day “last call” period for any final objections. Thanks, Ben On Mon, Feb 1, 2021 at 10:18 AM Ben Wilson wrote: > This is a reminder that I will close discussion on this tomorrow. > > On Mon, Jan 11, 2021 at 5:59 PM Ben Wilson wrote: > >> This is to announce the beg

Re: Public Discussion of GlobalSign's CA Inclusion Request for R46, E46, R45 and E45 Roots

2021-02-01 Thread Ben Wilson via dev-security-policy
This is a reminder that I will close discussion on this tomorrow. On Mon, Jan 11, 2021 at 5:59 PM Ben Wilson wrote: > This is to announce the beginning of the public discussion phase of the > Mozilla root CA inclusion process for GlobalSign. > > See https://wiki.mo

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-28 Thread Ben Wilson via dev-security-policy
On Thu, Jan 28, 2021 at 12:44 PM Ryan Sleevi wrote: > > > On Thu, Jan 28, 2021 at 1:43 PM Ben Wilson via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On second thought, I think that Mozilla can accomplish what we want >>

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-28 Thread Ben Wilson via dev-security-policy
he CCADB. The edits that we'll make will just make it easier for us to go through the list above. Thoughts? Ben On Tue, Jan 26, 2021 at 1:36 PM Ben Wilson wrote: > Thanks, Clemens. I'll take a look. > > Also, apparently my redlining was lost when my message was saved to the > new

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Ben Wilson via dev-security-policy
All, So far there have been several good comments. Please keep them coming. I want to take this opportunity just to clarify a few things. First, it has been Mozilla's long-standing position that, "We believe that the best approach to safeguarding secure browsing is to work with CAs as

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-26 Thread Ben Wilson via dev-security-policy
Thanks, Clemens. I'll take a look. Also, apparently my redlining was lost when my message was saved to the newsgroup. I'll see if I can re-post without the text formatting of strikeouts and underlines. On Tue, Jan 26, 2021 at 10:24 AM Clemens Wanko via dev-security-policy <

Mozilla's Response to Camerfirma's Compliance Issues

2021-01-25 Thread Ben Wilson via dev-security-policy
Dear All, We appreciate your comments and participation in the discussion about the Summary of Camerfirma's Compliance Issues, https://wiki.mozilla.org/CA:Camerfirma_Issues. Mozilla has not yet made a decision about Camerfirma's continuation in our root store. We intend to continue with our

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-24 Thread Ben Wilson via dev-security-policy
Here is my attempt to reword section 3.2 based on combining MRSP version 2.4.1 with version 2.7. My approach was to align the concepts of "competent", "independent" and "qualified" with their more-accepted meanings. Version 2.4.1 and earlier versions of the Mozilla Root Store Policy mixed some of

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-01-24 Thread Ben Wilson via dev-security-policy
for these requirements is to ensure that auditors are aware of the CA's compliance status. Thoughts? Thanks, Ben On Fri, Nov 6, 2020 at 10:36 AM Jeff Ward via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, October 22, 2020 at 1:53:40 PM UTC-5, Ben Wils

Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

2021-01-24 Thread Ben Wilson via dev-security-policy
trusted in Mozilla’s CA Certificate Program. This applies to all non-technically constrained CA certificates, including those that are self-signed, doppelgänger, reissued, or cross-signed. On Thu, Nov 12, 2020 at 11:54 AM Ben Wilson wrote: > Jakob, > > On Thu, Nov 12, 2020 at 10:39 AM J

Re: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy Constraints

2021-01-24 Thread Ben Wilson via dev-security-policy
In line with the proposed hyperlink to https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable from "capable of issuing EV certificates" (see Issue #147), then I don't think the proposed parenthetical is necessary anymore, and I think this issue can be considered resolved without needing

Re: MRSP Issue #147 - Require EV audits for certificates capable of issuing EV certificates

2021-01-24 Thread Ben Wilson via dev-security-policy
In addition to the original proposal, I propose that we hyperlink "capable of issuing EV certificates" to https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable. On Thu, Nov 12, 2020 at 11:23 AM Ben Wilson wrote: > > On Thu, Nov 12, 2020 at 2:03 AM Dimitris Zacharo

Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

2021-01-24 Thread Ben Wilson via dev-security-policy
that does not resolve the issues raised, please provide recommended edits to section 3.1.3 of the MRSP that will make it more clear and less susceptible to misinterpretation. On Sun, Jan 24, 2021 at 12:55 PM Ben Wilson wrote: > I agree that we should add language that makes it more clear

Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

2021-01-24 Thread Ben Wilson via dev-security-policy
I agree that we should add language that makes it more clear that the key destruction exception for audit only applies to the CA certificates whose key has been destroyed. I'm also hoping that a CAO wouldn't destroy a Root CA key if there were still valid subordinate CAs that the CAO might need

Policy 2.7.1: MRSP Issue #139: Audits required even if not issuing

2021-01-21 Thread Ben Wilson via dev-security-policy
I've updated this subject line for consistency with the other issues. On Tue, Oct 6, 2020 at 2:31 PM Ben Wilson wrote: > Here is the first issue for discussion here on the m.d.s.p. list relative > to the next version of the Mozilla Root Store Policy (v.2.7.1). > > #139 <htt

Policy 2.7.1: MRSP Issue #147 - Require EV audits for certificates capable of issuing EV certificates

2021-01-21 Thread Ben Wilson via dev-security-policy
12, 2020 at 11:23 AM Ben Wilson wrote: > > On Thu, Nov 12, 2020 at 2:03 AM Dimitris Zacharopoulos via > dev-security-policy wrote: > >> I see that this is related to >> https://github.com/mozilla/pkipolicy/issues/152, so I guess Mozilla >> Firefox does not enable &qu

Re: Policy 2.7.1: MRSP Issue #207: Require audit statements to provide information about which CA Locations were audited

2021-01-13 Thread Ben Wilson via dev-security-policy
ard wrote: > > On Tuesday, December 15, 2020 at 2:41:10 PM UTC-6, Ben Wilson wrote: > > > All, > > > > > > This email is part of the discussion for the next version of the > Mozilla > > > Root Store Policy (MRSP), version 2.7.1, to be published during > Q1

Public Discussion of GlobalSign's CA Inclusion Request for R46, E46, R45 and E45 Roots

2021-01-11 Thread Ben Wilson via dev-security-policy
No misissuances were found under these roots, and the CA certificates passed technical tests. Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about Tuesday, 2-February-2021. Sincerely yours, Ben Wilson Mozilla Root Program

Policy 2.7.1: MRSP Issue #218: Clarify CRL requirements for End Entity Certificates

2021-01-07 Thread Ben Wilson via dev-security-policy
This is the last issue that I have marked for discussion in relation to version 2.7.1 of the Mozilla Root Store Policy. It is identified and discussed in GitHub Issue #218

Policy 2.7.1: MRSP Issue #211: Align OCSP requirements in Mozilla's policy with the BRs

2020-12-16 Thread Ben Wilson via dev-security-policy
implementations? Thanks in advance for your suggestions / recommendations. Ben Wilson

Policy 2.7.1: MRSP Issue #207: Require audit statements to provide information about which CA Locations were audited

2020-12-15 Thread Ben Wilson via dev-security-policy
All, This email is part of the discussion for the next version of the Mozilla Root Store Policy (MRSP), version 2.7.1, to be published during Q1-2021. For audit delays, we currently require that audit statements disclose the locations that were and were not audited, but that requirement has

Re: FNMT: Public Discussion of Root Inclusion Request

2020-12-14 Thread Ben Wilson via dev-security-policy
that the BR self-assessment serves this purpose. This is notice that I am closing public discussion [Step 9] and that it is Mozilla’s intent to approve FNMT's request for inclusion [Step 10]. This begins a 7-day “last call” period for any final objections. Thanks, Ben On Wed, Dec 9, 2020 at 12:

Re: FNMT: Public Discussion of Root Inclusion Request

2020-12-09 Thread Ben Wilson via dev-security-policy
certificate profiles don't seem to point > > to anything, I got lost... > > > > So, sorry for the noise, I was very confused by the structure of the > repository. > > > > Now that I know where to look, I'll probably check the contents more > > thoroughl

Summary of Camerfirma's Compliance Issues

2020-12-03 Thread Ben Wilson via dev-security-policy
ctions, inputs, or updates that they may have. If anyone in this group believes they have an issue appropriate to add to the list, please send an email to certifica...@mozilla.org. Sincerely yours, Ben Wilson Mozilla Root Program

Re: FNMT: Public Discussion of Root Inclusion Request

2020-12-02 Thread Ben Wilson via dev-security-policy
ribió: > > > On Wed, 18 Nov 2020, 01:06 Ben Wilson via dev-security-policy, > > > wrote: > > > > > > > > [...] > > > > > > > > *CP/CPS:* > > > > > > > > > https://www.sede.fnmt.gob.es/documents/10445900/1053

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

2020-12-02 Thread Ben Wilson via dev-security-policy
s not addressed in this update, adding clarification on > domain verification reuse for SMIME would be a good improvement on the > existing policy. > > -Original Message- > From: dev-security-policy > On Behalf Of Ben Wilson via dev-security-policy > Sent: Wednesday, December 2,

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

2020-12-02 Thread Ben Wilson via dev-security-policy
See my responses inline below. On Tue, Dec 1, 2020 at 1:34 PM Ryan Sleevi wrote: > > > On Tue, Dec 1, 2020 at 2:22 PM Ben Wilson via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> See responses inline below: >> >> On Tu

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

2020-12-01 Thread Ben Wilson via dev-security-policy
mains/customers should not be affected until then. Cheers, Ben > > Doug > > -Original Message- > From: dev-security-policy > On Behalf Of Ben Wilson via dev-security-policy > Sent: Monday, November 30, 2020 2:27 PM > To: mozilla-dev-security-policy < > mozilla-dev

Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

2020-11-30 Thread Ben Wilson via dev-security-policy
The purpose of this email is to begin public discussion on a modification to subsection 5 in section 2.1 of the Mozilla Root Store Policy. Issue #206 in GitHub discusses the need to bring the reuse period for domain validation in line with the

Re: CCADB Proposal: Add field called Full CRL Issued By This CA

2020-11-19 Thread Ben Wilson via dev-security-policy
FWIW - Here is a recent post on this issue from JC Jones - https://github.com/mozilla/crlite/issues/43#issuecomment-726493990 On Thu, Nov 19, 2020 at 4:00 PM Ryan Hurst via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Wednesday, November 18, 2020 at 8:26:50 PM UTC-8,

Re: FNMT: Public Discussion of Root Inclusion Request

2020-11-18 Thread Ben Wilson via dev-security-policy
https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%202%20ETSI%20319%20411-1%20PSC-2019-003%20-%20FNMT-v2.pdf On Tue, Nov 17, 2020 at 5:06 PM Ben Wilson wrote: > All, > > This is to announce the beginning of the public discussion phase of the > Mozilla root

FNMT: Public Discussion of Root Inclusion Request

2020-11-17 Thread Ben Wilson via dev-security-policy
presentative of the CA responds to questions and concerns posted during the public discussion of the CA's request." Again, this email begins a three-week public discussion period, which I’m scheduling to close on or about 9-December-2020. Sincerely yours, Ben Wilson Mozilla Root Program

Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

2020-11-12 Thread Ben Wilson via dev-security-policy
Jakob, On Thu, Nov 12, 2020 at 10:39 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > How would that phrasing cover doppelgangers of intermediary SubCAs under > an included root CA? > > > To clarify, the title of section 5.3 is "Intermediate

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

2020-11-12 Thread Ben Wilson via dev-security-policy
On Thu, Nov 12, 2020 at 2:57 AM Dimitris Zacharopoulos wrote: > > I believe this information should be the "minimum" accepted methods of > proving that a Private Key is compromised. We should allow CAs to accept > other methods without the need to first update their CP/CPS. Do people > think

Re: MRSP Issue #147 - Require EV audits for certificates capable of issuing EV certificates

2020-11-12 Thread Ben Wilson via dev-security-policy
On Thu, Nov 12, 2020 at 2:03 AM Dimitris Zacharopoulos via dev-security-policy wrote: > I see that this is related to > https://github.com/mozilla/pkipolicy/issues/152, so I guess Mozilla > Firefox does not enable "EV Treatment" if an Intermediate CA Certificate > does not assert the anyPolicy

Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

2020-11-11 Thread Ben Wilson via dev-security-policy
y concerning cross-certificates and > self-signed certificates. > > Thanks, > Corey > > On Wednesday, October 28, 2020 at 8:25:50 PM UTC-4, Ben Wilson wrote: > > Issue #186 in Github <https://github.com/mozilla/pkipolicy/issues/186> > > deals with the disclosure o

Re: Policy 2.7.1: Process Overview

2020-11-11 Thread Ben Wilson via dev-security-policy
of their full and complete CRL in the CCADB. Not sent to m.d.s.p. list yet On Mon, Nov 9, 2020 at 2:14 PM Ben Wilson wrote: > Re-posting this email to start it with its own subject line and to start a > new thread: > > There have been questions about the process being followed

Re: NAVER: Public Discussion of Root Inclusion Request

2020-11-10 Thread Ben Wilson via dev-security-policy
This email closes public discussion and is notice that it is Mozilla’s intent to approve NAVER's request for inclusion. (This starts a 7-day period of last call for objections.) On Mon, Nov 9, 2020 at 2:10 PM Ben Wilson wrote: > Step 6 of CA Application Process > <https://wiki.mozil

Policy 2.7.1: Process Overview

2020-11-09 Thread Ben Wilson via dev-security-policy
his batch of changes). Sincerely yours, Ben Wilson Mozilla Root Store ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: NAVER: Public Discussion of Root Inclusion Request

2020-11-09 Thread Ben Wilson via dev-security-policy
> ike all certificates with a stateOrProvinceName field are misissued. The ST field should probably be the "Gyeonggi-do" as the "Seongnam-si" entered is a city.

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-09 Thread Ben Wilson via dev-security-policy
ms, and then in late December / early January for those that are more contentious (assuming they remain in this batch of changes). Sincerely yours, Ben Wilson Mozilla Root Store On Mon, Nov 9, 2020 at 2:45 AM Dimitris Zacharopoulos via dev-security-policy wrote: > > > On 7/11/2020

Policy 2.7.1: MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

2020-11-05 Thread Ben Wilson via dev-security-policy
that certain instructions be provided in section 1.5.2 of the CPS, but we believe that the overlap can be worked through during this discussion and, if not, a related discussion within the CA/Browser Forum. We look forward to your comments and suggestions on this issue. Sincerely yours, Ben Wilson Mozilla Root

Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-03 Thread Ben Wilson via dev-security-policy
Historically, Mozilla Policy required that CAs "provide attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the CA's internal operations."

Re: NAVER: Public Discussion of Root Inclusion Request

2020-11-03 Thread Ben Wilson via dev-security-policy
> he ST field should probably be the "Gyeonggi-do" as the "Seongnam-si" entered is a city. > ‐‐‐ Original Message ‐‐‐ > On Friday, 9 October 2020 23:09, Ben Wilson via dev-security-policy < dev-secur...@lists.mozilla.

Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

2020-10-28 Thread Ben Wilson via dev-security-policy
Issue #186 in GitHub deals with the disclosure of CA certificates that directly or transitively chain up to an already-trusted, Mozilla-included root. A common scenario for the situation discussed in Issue #186 is when a CA creates a second (or

Policy 2.7.1: MRSP Issue #173: Strengthen requirement for newly included roots to meet all current requirements

2020-10-28 Thread Ben Wilson via dev-security-policy
The current language of MRSP section 7.1 says, "Before being included, CAs MUST provide evidence that their CA certificates have continually, from the time of creation, complied with the then-current Mozilla Root Store Policy and Baseline Requirements." If an older root were to be submitted for

Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2020-10-22 Thread Ben Wilson via dev-security-policy
The purpose of this email is to begin public discussion on the addition of a subsection 11 to section 3.1.4 of the Mozilla Root Store Policy. Issue #187 in GitHub proposes to require audit reports to list all incidents occurring (or open) during

Policy 2.7.1: MRSP Issue #154: Require Management Assertions to list Non-compliance

2020-10-22 Thread Ben Wilson via dev-security-policy
The purpose of this email is to begin public discussion on an addition to section 2.4 of the Mozilla Root Store Policy. Issue #154 in GitHub proposes to require that management assertions (CA disclosures to auditors) provide written mention of all

Re: NAVER: Public Discussion of Root Inclusion Request

2020-10-21 Thread Ben Wilson via dev-security-policy
; > ‐‐‐ Original Message ‐‐‐ > On Friday, 9 October 2020 23:09, Ben Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Dear All, > > This is to announce the beginning of the public discussion phase of

Re: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy Constraints

2020-10-17 Thread Ben Wilson via dev-security-policy
e. Also, I haven't mapped out how this might affect CAs that we sometimes add to the root store without EV enablement and with the suggestion that they apply later for it. On Sat, Oct 17, 2020 at 12:26 AM Ryan Sleevi wrote: > > > On Thu, Oct 15, 2020 at 4:36 PM Ben Wilson via dev-secur

Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

2020-10-15 Thread Ben Wilson via dev-security-policy
This issue #153, listed here: https://github.com/mozilla/pkipolicy/issues/153, is proposed for resolution with version 2.7.1 of the Mozilla Root Store Policy. It is related to Issue 139 (audits required even if not issuing). The first paragraph of

Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy Constraints

2020-10-15 Thread Ben Wilson via dev-security-policy
This issue is presented for resolution in the next version of the Mozilla Root Store Policy. It is related to Issue #147 (previously posted for discussion on this list on 6-Oct-2020). Possible language is presented here:

NAVER: Public Discussion of Root Inclusion Request

2020-10-09 Thread Ben Wilson via dev-security-policy
on Monday, 2-November-2020. Sincerely yours, Ben Wilson Mozilla Root Program

Re: Policy 2.7.1 Issues to be Considered

2020-10-06 Thread Ben Wilson via dev-security-policy
uld be a > useful clarification alongside issue 147, as it will better define the > parameters that determine if a given intermediate is “EV capable”. > > Thanks, > Corey > -- > *From:* dev-security-policy > on behalf of Ben Wilson via dev-secur

MRSP Issue #147 - Require EV audits for certificates capable of issuing EV certificates

2020-10-06 Thread Ben Wilson via dev-security-policy
#147 - Require EV audits for certificates capable of issuing EV certificates – Clarify that EV audits are required for all intermediate certificates that are technically capable of issuing EV certificates, even when not currently issuing EV

MRSP Issue #139: Audits required even if not issuing

2020-10-06 Thread Ben Wilson via dev-security-policy
Here is the first issue for discussion here on the m.d.s.p. list relative to the next version of the Mozilla Root Store Policy (v.2.7.1). #139 - Audits are required even if no longer issuing - Clarify that audits are required until the CA

Re: Policy 2.7.1 Issues to be Considered

2020-10-06 Thread Ben Wilson via dev-security-policy
tes would become > effective, and specifically this item: > >https://github.com/mozilla/pkipolicy/issues/206 > > Doug > > -Original Message- > From: dev-security-policy > On Behalf Of Ben Wilson via dev-security-policy > Sent: Thursday, October 1, 2020 4:

Sectigo to Be Acquired by GI Partners

2020-10-01 Thread Ben Wilson via dev-security-policy
As announced previously by Rob Stradling, there is an agreement for private investment firm GI Partners, out of San Francisco, CA, to acquire Sectigo. Press release: https://sectigo.com/resource-library/sectigo-to-be-acquired-by-gi-partners. I am treating this as a change of legal ownership

Policy 2.7.1 Issues to be Considered

2020-10-01 Thread Ben Wilson via dev-security-policy
certificates. If the CA uses partial CRLs, then require CAs to provide the URL location of their full and complete CRL in the CCADB. Ben Wilson Mozilla Root Program Manager
